def test_filter_do_not_report_anything(single_security_group_one_cidr_ingress):
    mock_config = Config(
        rules=["EC2SecurityGroupMissingEgressRule"],
        aws_account_id="123456789",
        stack_name="mockstack",
        rules_config={
            "EC2SecurityGroupMissingEgressRule":
            RuleConfig(filters=[
                Filter(
                    rule_mode=RuleMode.WHITELISTED,
                    eval={"eq": [{
                        "ref": "config.stack_name"
                    }, "mockstack"]},
                )
            ], )
        },
    )
    rules = [
        DEFAULT_RULES.get(rule)(mock_config) for rule in mock_config.rules
    ]
    processor = RuleProcessor(*rules)
    result = processor.process_cf_template(
        single_security_group_one_cidr_ingress, mock_config)

    assert result.valid
def test_non_matching_filters_are_reported_normally(
        single_security_group_one_cidr_ingress):
    mock_config = Config(
        rules=["EC2SecurityGroupMissingEgressRule"],
        aws_account_id="123456789",
        stack_name="mockstack",
        rules_config={
            "EC2SecurityGroupMissingEgressRule":
            RuleConfig(filters=[
                Filter(rule_mode=RuleMode.WHITELISTED,
                       eval={
                           "eq": [{
                               "ref": "config.stack_name"
                           }, "anotherstack"]
                       })
            ], )
        },
    )
    rules = [
        DEFAULT_RULES.get(rule)(mock_config) for rule in mock_config.rules
    ]
    processor = RuleProcessor(*rules)
    result = processor.process_cf_template(
        single_security_group_one_cidr_ingress, mock_config)

    assert result.valid
    assert len(result.failed_rules) == 0
    assert len(result.failed_monitored_rules) == 1
    assert result.failed_monitored_rules[
        0].rule == "EC2SecurityGroupMissingEgressRule"
    assert (
        result.failed_monitored_rules[0].reason ==
        "Missing egress rule in sg means all traffic is allowed outbound. Make this explicit if it is desired configuration"
    )
def test_filter_works_as_expected(template_two_roles_dict, expected_result_two_roles):
    config = Config(
        rules=["CrossAccountTrustRule"],
        aws_account_id="123456789",
        stack_name="mockstack",
        rules_config={
            "CrossAccountTrustRule": RuleConfig(
                filters=[
                    Filter(
                        rule_mode=RuleMode.WHITELISTED,
                        eval={
                            "and": [
                                {"eq": [{"ref": "config.stack_name"}, "mockstack"]},
                                {"eq": [{"ref": "logical_id"}, "RootRoleOne"]},
                            ]
                        },
                    )
                ],
            )
        },
    )
    rules = [DEFAULT_RULES.get(rule)(config) for rule in config.rules]
    processor = RuleProcessor(*rules)
    result = processor.process_cf_template(template_two_roles_dict, config)

    assert not result.valid
    assert result.failed_rules[0] == expected_result_two_roles[-1]
Exemplo n.º 4
0
def test_non_matching_filters_are_reported_normally(
        invalid_security_group_range):
    mock_config = Config(
        rules=["EC2SecurityGroupOpenToWorldRule"],
        aws_account_id="123456789",
        stack_name="mockstack",
        rules_config={
            "EC2SecurityGroupOpenToWorldRule":
            RuleConfig(filters=[
                Filter(rule_mode=RuleMode.WHITELISTED,
                       eval={
                           "eq": [{
                               "ref": "config.stack_name"
                           }, "anotherstack"]
                       })
            ], )
        },
    )
    rules = [
        DEFAULT_RULES.get(rule)(mock_config) for rule in mock_config.rules
    ]
    processor = RuleProcessor(*rules)
    result = processor.process_cf_template(invalid_security_group_range,
                                           mock_config)

    assert not result.valid
    assert result.failed_rules[0].rule == "EC2SecurityGroupOpenToWorldRule"
    assert (
        result.failed_rules[0].reason ==
        "Port(s) 0-79, 81-100 open to public IPs: (11.0.0.0/8) in security group 'SecurityGroup'"
    )
def test_filter_do_not_report_anything(bad_template):
    mock_config = Config(
        rules=["EC2SecurityGroupIngressOpenToWorldRule"],
        aws_account_id="123456789",
        stack_name="mockstack",
        rules_config={
            "EC2SecurityGroupIngressOpenToWorldRule":
            RuleConfig(filters=[
                Filter(
                    rule_mode=RuleMode.WHITELISTED,
                    eval={
                        "and": [
                            {
                                "eq": [{
                                    "ref": "config.stack_name"
                                }, "mockstack"]
                            },
                            {
                                "eq": [{
                                    "ref": "ingress.FromPort"
                                }, 46]
                            },
                        ]
                    },
                )
            ], )
        },
    )
    rules = [
        DEFAULT_RULES.get(rule)(mock_config) for rule in mock_config.rules
    ]
    processor = RuleProcessor(*rules)
    result = processor.process_cf_template(bad_template, mock_config)

    assert result.valid
Exemplo n.º 6
0
def test_exist_function_and_property_exists(
        template_cross_account_role_with_name):
    mock_config = Config(
        rules=["CrossAccountTrustRule"],
        aws_account_id="123456789",
        stack_name="mockstack",
        rules_config={
            "CrossAccountTrustRule":
            RuleConfig(filters=[
                Filter(
                    rule_mode=RuleMode.WHITELISTED,
                    eval={
                        "and": [
                            {
                                "and": [
                                    {
                                        "exists": {
                                            "ref":
                                            "resource.Properties.RoleName"
                                        }
                                    },
                                    {
                                        "regex": [
                                            "^prefix-.*$", {
                                                "ref":
                                                "resource.Properties.RoleName"
                                            }
                                        ]
                                    },
                                ]
                            },
                            {
                                "eq":
                                [{
                                    "ref": "principal"
                                },
                                 "arn:aws:iam::999999999:role/[email protected]"
                                 ]
                            },
                        ]
                    },
                ),
            ])
        },
    )

    rules = [
        DEFAULT_RULES.get(rule)(mock_config) for rule in mock_config.rules
    ]
    processor = RuleProcessor(*rules)
    result = processor.process_cf_template(
        template_cross_account_role_with_name, mock_config)
    assert result.valid
def test_non_matching_filters_are_reported_normally(template_two_roles_dict, expected_result_two_roles):
    mock_config = Config(
        rules=["CrossAccountTrustRule"],
        aws_account_id="123456789",
        stack_name="mockstack",
        rules_config={
            "CrossAccountTrustRule": RuleConfig(
                filters=[
                    Filter(rule_mode=RuleMode.WHITELISTED, eval={"eq": [{"ref": "config.stack_name"}, "anotherstack"]})
                ],
            )
        },
    )
    rules = [DEFAULT_RULES.get(rule)(mock_config) for rule in mock_config.rules]
    processor = RuleProcessor(*rules)
    result = processor.process_cf_template(template_two_roles_dict, mock_config)
    assert not result.valid
    assert result.failed_rules == expected_result_two_roles
def test_filter_do_not_report_anything(template_two_roles_dict):
    mock_config = Config(
        rules=["CrossAccountTrustRule"],
        aws_account_id="123456789",
        stack_name="mockstack",
        rules_config={
            "CrossAccountTrustRule": RuleConfig(
                filters=[
                    Filter(rule_mode=RuleMode.WHITELISTED, eval={"eq": [{"ref": "config.stack_name"}, "mockstack"]})
                ],
            )
        },
    )
    rules = [DEFAULT_RULES.get(rule)(mock_config) for rule in mock_config.rules]
    processor = RuleProcessor(*rules)
    result = processor.process_cf_template(template_two_roles_dict, mock_config)

    assert result.valid
Exemplo n.º 9
0
from cfripper.config.filter import Filter
from cfripper.config.rule_config import RuleConfig
from cfripper.model.enums import RuleMode

# RULES_CONFIG is here a list of RuleConfig instead of a dict with the rule names as keys
RULES_CONFIG = [
    RuleConfig(filters=[
        Filter(
            rule_mode=RuleMode.ALLOWED,
            eval={
                "and": [
                    {
                        "eq": [{
                            "ref": "config.stack_name"
                        }, "mockstack"]
                    },
                    {
                        "eq": [{
                            "ref": "logical_id"
                        }, "RootRoleOne"]
                    },
                ]
            },
        )
    ], )
]
from cfripper.config.rule_config import RuleConfig

RULES_CONFIG = {"CrossAccountTrustRule": RuleConfig()}
from cfripper.config.rule_config import RuleConfig
from cfripper.config.rule_configs.allow_http_ports_open_to_world import (
    allow_http_ports_open_to_world_rules_config_filter, )
from cfripper.config.rule_configs.firehose_ips import firehose_ips_rules_config_filter
from cfripper.model.enums import RuleMode

RULES_CONFIG = {
    "EC2SecurityGroupMissingEgressRule":
    RuleConfig(rule_mode=RuleMode.DISABLED),
}

FILTERS = [
    allow_http_ports_open_to_world_rules_config_filter,
    firehose_ips_rules_config_filter
]